analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Quote.img.iso

Full analysis: https://app.any.run/tasks/27dc9bc3-29c8-4df9-8219-e3d17e3a918e
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: September 19, 2019, 09:57:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
agenttesla
evasion
trojan
rat
Indicators:
MIME: application/x-iso9660-image
File info: UDF filesystem data (version 1.5) ''
MD5:

626B17D53A94C3B5901FF46D694E6929

SHA1:

E25712840F32F65968BC582F101FA3044E017415

SHA256:

BD8B6159AB1905DE5220D7E7D60B1AED3068BAD3A8169B4077DD5FC42E488565

SSDEEP:

12288:v+XKAYnQgO5p1ZJBcaIPwOy/TKUEkPSjx8YNJoi1qofCP:WXKAH/bJur0mnV8YHnDCP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Quote.exe (PID: 3408)
      • Quote.exe (PID: 2608)
    • AGENTTESLA was detected

      • Quote.exe (PID: 3408)
    • Actions looks like stealing of personal data

      • Quote.exe (PID: 3408)
  • SUSPICIOUS

    • Checks for external IP

      • Quote.exe (PID: 3408)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2880)
    • Connects to SMTP port

      • Quote.exe (PID: 3408)
    • Application launched itself

      • Quote.exe (PID: 2608)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite

VolumeSize: 1322 kB

ISO

VolumeModifyDate: 2019:09:16 01:59:13.00-07:00
VolumeCreateDate: 2019:09:16 01:59:13.00-07:00
Software: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
VolumeSetName: UNDEFINED
RootDirectoryCreateDate: 2019:09:16 01:59:13-07:00
VolumeBlockSize: 2048
VolumeBlockCount: 661
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe quote.exe no specs #AGENTTESLA quote.exe

Process information

PID
CMD
Path
Indicators
Parent process
2880"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Quote.img.iso"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2608"C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exeWinRAR.exe
User:
admin
Company:
sinwashing3Getae
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.01.0007
3408"C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exe
Quote.exe
User:
admin
Company:
sinwashing3Getae
Integrity Level:
MEDIUM
Version:
2.01.0007
Total events
496
Read events
472
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2880WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2880.9106\Quote.exeexecutable
MD5:F6D3CA0F2E6A3EA1732006AF1CEB11F8
SHA256:D0D3B8358A2AD65FFACB28DE98B86F6E745DBBDA6232DBC752239972745E2C80
3408Quote.exeC:\Users\admin\AppData\Local\Temp\637044875517847500_2f41157a-994b-4c2c-b860-8f8454f84a42.dbsqlite
MD5:0B3C43342CE2A99318AA0FE9E531C57B
SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3408
Quote.exe
GET
404
3.224.145.145:80
http://checkip.amazonaws.com/
US
xml
345 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3408
Quote.exe
3.224.145.145:80
checkip.amazonaws.com
US
shared
3408
Quote.exe
188.241.39.10:587
helsanaa.com
Hydra Communications Ltd
GB
malicious

DNS requests

Domain
IP
Reputation
checkip.amazonaws.com
  • 3.224.145.145
  • 18.205.71.63
  • 34.196.181.158
  • 18.214.132.216
  • 52.44.169.135
  • 52.55.255.113
shared
helsanaa.com
  • 188.241.39.10
malicious

Threats

PID
Process
Class
Message
3408
Quote.exe
A Network Trojan was detected
MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info